How the requirements for working with personal data have become more stringent in 2021

Amendments to Federal Law No. 152-FZ of July 27, 2006, which clarify the rules for processing, storing and accessing personal data (PD), were introduced by Federal Law No. 519-FZ of December 30, 2020.

The amendments solve the problem of uncontrolled use of citizens’ personal data by third parties.

In this article we will consider the following questions:

  • What has changed in the processing of personal data since March 1
  • Requirements for the processing of personal data
  • What are fines for and how much in 2021?
  • What should a website owner do to avoid fines?
  • Confidentiality of personal data: when it does not need to be ensured
  • When you do not need to obtain consent to process personal data
  • What is a personal data portal
  • How else do they plan to tighten the processing of personal data?

What has changed in the processing of personal data since March 1

It follows from Federal Law No. 519-FZ of December 30, 2020 that:

  • Silence or inaction under no circumstances can be regarded as consent to the processing of personal data.
  • Consent to the processing of PD permitted for distribution is provided separately. The operator is obliged to provide the PD subject with the opportunity to determine the list of personal data for each category specified in the consent to processing.
  • In the consent to the processing of personal data permitted for distribution, it is possible to establish prohibitions on the transfer of this personal data to an unlimited number of persons, as well as prohibitions on the processing or conditions for the processing of data by an unlimited number of persons. The operator has no right to refuse in this case.

How to stop the transfer of PD permitted for distribution

The law obliges the operator to stop the transfer of personal data permitted for distribution at any time at the request of the subject.

To do this, you need to fill out the request correctly, that is, indicate the following information:

  • full name;
  • contact details;
  • list of personal data the processing of which must be stopped.

The PD specified in the request may be processed only by the operator to whom the request is sent.

Consent to the processing of personal data: new requirements from September 1, 2021

Employee and employer

A company customarily classifies employees’ personal information as confidential when it has a special handling regime and a plan for protecting all available employee data. Disputes on this topic often arise at enterprises where disclosure and transfer of employees’ personal data to third parties is possible only on the basis of written consent. Employees who, as part of their duties, have received and lawfully hold colleagues’ data are obliged to use it only for its intended purpose and must not disclose it under any circumstances. Exceptions may be established only by federal laws.

Requirements for the processing of personal data

Over the past few years, special attention has been paid to working with the personal data of individuals. Key changes occurred in 2021, when Federal Law No. 13-FZ dated 02/07/2017 amended Art. 13.11 of the Code of Administrative Offences. The list of grounds for administrative liability for illegal processing of personal data (PD) was noticeably expanded and the fines were increased.

Federal Law No. 152-FZ of July 27, 2006 defines three key concepts around which disputes often arise: personal data, operator and processing of personal data.

Personal data – any information relating to a directly or indirectly identified or identifiable individual (the subject of personal data).

Operator – a state body, municipal body, legal entity or natural person that, alone or jointly with other persons:

  • organizes and (or) carries out the processing of PD;
  • defines the purposes of PD processing, the composition of the PD to be processed, and the actions (operations) performed with the PD.

Processing of personal data – any action or set of actions performed with PD, with or without automation tools: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction.

The law does not list exactly which data are personal, but since the wording covers “any information” relating to an individual, PD includes the following (in combination and even separately):

  • Full name
  • Date of Birth
  • address
  • telephone
  • email address
  • photo
  • link to personal website
  • link to profile on social networks

In short, this means any data that can be used to identify a person. Therefore, if you receive such data in any combination by any means, you are an operator of personal data. In practice, any website owner is an operator of personal data, since the site hosts a feedback form, a registration form, or similar.

In 152-FZ, operators are divided into several categories: individuals, individual entrepreneurs, legal entities, municipal bodies, government bodies. Depending on the category, fines of different sizes are applied for the same violation. For example, for individuals they are noticeably lower than for legal entities.

Each category of operators is faced with the processing of personal data in one way or another. Individuals use clients’ PD. Individual entrepreneurs request this data when hiring specialists for work, or collect personal data on a website or online store. Legal entities are subject to an expanded list of requirements for the preparation of necessary documents and the requirement to appoint a person responsible for organizing the processing of personal data. The most stringent requirements are imposed on state and municipal bodies that work with a huge array of citizens’ personal data.

Exclusive rights

Some organizations that need this information to perform their functions have the ability to obtain personal data about an employee:

  1. Representatives of pension and social insurance funds.
  2. Federal Labor Inspectorate and state bodies supervising and monitoring compliance with labor legislation.
  3. Tax office.
  4. Trade unions and executive authorities investigating industrial accidents.

Persons in this category must observe a regime of secrecy and the intended use of all collected information, and bear responsibility for the transfer of personal data to third parties. And if you personally wish to publish and distribute them.

What are fines for and how much in 2021?

On March 27, Federal Law No. 19-FZ of February 24, 2021 comes into force, which significantly increases fines for violations in working with personal data.

The last time administrative liability in this area was increased was in 2021. But from the end of March, the amount of the fines will more than double.

Please note the following innovations:

1. Any violation in the field of personal data processing will now be fined immediately. Previously, a warning was available as a sanction.

2. Until March 27, 2021, a repeated violation was not identified as a separate offense. Now it is, and the fines for it are several times higher than for the first violation.

For example, if it turns out that a legal entity is requesting personal data that is incompatible with the purposes of collection, then for the first violation it will have to pay a fine of 60,000 to 100,000 rubles, and for a second violation - from 100,000 to 300,000 rubles.

3. The statute of limitations for bringing administrative liability for violations in the field of personal data has also increased. If previously it was three months, then from March 27, 2021 it will be increased to one year.

Grounds for liability and amount of fine

Processing of personal data in cases not provided for by law and incompatible with the purposes of collecting personal data:

  • For individuals: warning or fine from 2,000 to 6,000 rubles.
  • For officials: warning or fine from 10,000 to 20,000 rubles.
  • For legal entities: warning or fine from 60,000 to 100,000 rubles.

In case of repeated violation:

  • For individuals: from 4,000 to 12,000 rubles.
  • For officials: from 20,000 to 50,000 rubles.
  • For individual entrepreneurs: from 50,000 to 100,000 rubles.
  • For legal entities: from 100,000 to 300,000 rubles.

Processing of PD without the written consent of the subject:

  • For individuals: from 6,000 to 10,000 rubles.
  • For officials: from 20,000 to 40,000 rubles.
  • For legal entities: from 30,000 to 150,000 rubles.

In case of repeated violation:

  • For individuals: from 10,000 to 20,000 rubles.
  • For officials: from 40,000 to 100,000 rubles.
  • For individual entrepreneurs: from 100,000 to 300,000 rubles.
  • For legal entities: from 300,000 to 500,000 rubles.

Failure to fulfill the obligation to publish or provide access to a document defining the policy for processing personal data or information on the protection of personal data:

  • For individuals: from 1,500 to 3,000 rubles.
  • For officials: from 6,000 to 12,000 rubles.
  • For legal entities: from 30,000 to 60,000 rubles.
  • For individual entrepreneurs: from 10,000 to 20,000 rubles.

Failure to provide the PD subject with information on the processing of their data:

  • For individuals: warning or fine from 2,000 to 4,000 rubles.
  • For officials: warning or fine from 8,000 to 12,000 rubles.
  • For legal entities: warning or fine from 40,000 to 80,000 rubles.
  • For individual entrepreneurs: warning or fine from 20,000 to 30,000 rubles.

Failure to comply with a request of the PD subject or their representative for clarification, blocking or destruction (if the PD is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing):

  • For individuals: warning or fine from 2,000 to 4,000 rubles.
  • For officials: warning or fine from 8,000 to 20,000 rubles.
  • For legal entities: warning or fine from 50,000 to 90,000 rubles.
  • For individual entrepreneurs: warning or fine from 20,000 to 40,000 rubles.

In case of repeated violation:

  • For individuals: from 20,000 to 30,000 rubles.
  • For officials: from 30,000 to 50,000 rubles.
  • For individual entrepreneurs: from 50,000 to 100,000 rubles.
  • For legal entities: from 300,000 to 500,000 rubles.

Failure to fulfill the obligation to preserve personal data, which led to unlawful or accidental access to personal data and caused their destruction, modification, blocking or copying:

  • For individuals: from 1,500 to 4,000 rubles.
  • For officials: from 8,000 to 20,000 rubles.
  • For legal entities: from 50,000 to 100,000 rubles.
  • For individual entrepreneurs: from 20,000 to 40,000 rubles.

Failure of a state or municipal body to fulfill the obligation to depersonalize personal data; non-compliance with the requirements for depersonalization of personal data:

  • For officials: warning or administrative fine from 6,000 to 12,000 rubles.

An offense such as processing personal data without obtaining the consent of the subject provides for the largest fines for all categories of operators. Thus, in case of repeated violation, the legal entity will have to pay a fine of up to 500,000 rubles.

In this regard, many questions arise. How to notify Roskomnadzor about the processing of personal data? What should a website owner do to avoid fines?

How attackers steal data

Exfiltration (data theft) is the unauthorized copying, transfer or retrieval of data from a victim’s computer or server. Exfiltration can be carried out over the Internet or over a local network. Attackers typically compress and encrypt the data before transmitting it to avoid detection. They may use command and control servers (often referred to as C&C or C2) and other transmission channels to exfiltrate data from the target system.

The MITRE ATT&CK Matrix identifies nine techniques that attackers use to steal data:

  • Automated exfiltration
  • Data compression
  • Data encryption
  • Limiting the size of transferred data
  • Exfiltration via an alternative protocol
  • Exfiltration via C&C server
  • Exfiltration through an alternative communication channel
  • Physical exfiltration
  • Scheduled transmission

Automated exfiltration

Confidential information obtained during the data collection stage is transmitted to attackers using specially created automated scripts. Additional techniques can also be used to transfer information outside the network, such as exfiltration through a command server or exfiltration through an alternative protocol.

Protection

It is difficult to protect against such attacks, since in each system they will have their own individual characteristics and will have vectors based on the configuration and environment of that particular system.

Detection

It is recommended to monitor unusual file accesses and network activity. Unknown processes or scripts that scan the file system, for example by accessing higher-level directories, and send data over the network should be considered suspicious.

Data compression

Attackers can compress the collected data before exfiltrating it to minimize the traffic transmitted over the network. Compression is performed using specially created or, conversely, publicly available utilities that support compression formats such as 7Z, RAR and ZIP.

Protection

If attackers are sending data over unencrypted channels, then you can use any available network intrusion or data leak prevention system that can block the sending of certain types of files. However, it must be taken into account that attackers can bypass such protection using encryption or encapsulation (injection of transmitted data into legitimate traffic).

Detection

File compression programs and the compressed files themselves can be detected in different ways. For example, common compression utilities (such as 7-Zip or WinRAR) installed on a system or downloaded by attackers can be detected by monitoring the associated processes and known arguments used when running the utilities from the command line. However, it must be taken into account that the number of detections for legitimate use of such utilities can significantly exceed the number of detected malicious operations.

Data encryption

Attackers can encrypt data before exfiltrating it to bypass file content analysis-based protection or make the exfiltration less noticeable compared to other network events. File encryption performed independently of the encryption provided by the data transfer protocol (such as HTTPS) will not allow security measures to determine the type of information being transmitted. Using popular encryption-enabled archiving formats, such as RAR and ZIP, will allow attackers to disguise the data output as a legitimate transfer of compressed files.

Additional techniques can be used to transfer information outside the network, such as exfiltration through a command and control server or exfiltration through an alternative protocol.

Protection

It is difficult to protect against such attacks, since in each system they will have their own individual characteristics and will have vectors based on the configuration and environment of that particular system.

Detection

Encryption programs and encrypted files can be detected in different ways. For example, common encryption utilities installed on a system or downloaded by attackers can be detected by monitoring the associated processes and known arguments used when running the utilities from the command line. However, it must be taken into account that the number of detections for legitimate use of such utilities can significantly exceed the number of detected malicious operations.

A process that loads the Windows library crypt32.dll may be encrypting, decrypting, or verifying the signature of a file; loading this library can therefore serve as a marker that data is being prepared for exfiltration.
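The two detection passages above (compression utilities and encryption utilities identified through process and command-line monitoring) can be combined into one rule. The following is an added example, not code from the article or from MITRE: it scores constructed process-creation events by the archiver image, its install location, its parent process, and the presence of password or volume-split switches, and reports only events with several indicators, which addresses the caveat that routine use of 7-Zip or WinRAR vastly outnumbers malicious use. The event format, host names and switch lists are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (host, user, parent image, image path,
# command line). These are illustrative records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "parent": "explorer.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a photos.zip C:\Users\jdoe\Pictures'},
    {"host": "ws02", "user": "svc_backup", "parent": "cmd.exe",
     "image": r"C:\Users\Public\7z.exe",
     "cmdline": r"C:\Users\Public\7z.exe a -pS3cret -mhe=on C:\Users\Public\out.7z C:\Users\alice\Documents"},
    {"host": "ws03", "user": "bob", "parent": "powershell.exe",
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -hpPass -v5m C:\Windows\Temp\a.rar D:\Finance"},
    {"host": "ws04", "user": "carol", "parent": "winword.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

# Archiver binaries named in the article (7-Zip, WinRAR) plus their console variants.
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe", "rar.exe", "winrar.exe"}
# Directories a properly installed archiver is expected to live in.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Parents that indicate scripted rather than interactive use.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def switches(cmdline: str) -> list:
    """Return the dash switches of a command line, lower-cased, without the dash."""
    return [s.lower() for s in re.findall(r"(?:^|\s)-(\w+)", cmdline)]


def assess(event: dict):
    """Score one event: None if it is not an archiver, else a finding with indicators."""
    image = basename(event["image"])
    if image not in ARCHIVERS:
        return None
    indicators = []
    sw = switches(event["cmdline"])
    # -p / -hp (password) and -mhe (7-Zip header encryption) produce encrypted archives,
    # which defeats content inspection of the outgoing file.
    if any(s[0] == "p" or s.startswith("hp") for s in sw) or "mhe" in sw:
        indicators.append("password/header encryption switch")
    # -v<size> splits the archive into fixed-size volumes.
    if any(s.startswith("v") and s[1:2].isdigit() for s in sw):
        indicators.append("split into fixed-size volumes")
    if not event["image"].lower().startswith(TRUSTED_DIRS):
        indicators.append("archiver outside standard install directory")
    if basename(event["parent"]) in SCRIPT_HOSTS:
        indicators.append("launched from shell or script host")
    return {"host": event["host"], "user": event["user"], "image": image,
            "indicators": indicators, "score": len(indicators)}


def triage(events, threshold: int = 2) -> list:
    """Keep only findings with at least `threshold` indicators, so that routine
    interactive use of an installed archiver (score 0 or 1) is not reported."""
    findings = [f for f in (assess(e) for e in events) if f is not None]
    return [f for f in findings if f["score"] >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} {f['image']} score={f['score']}: "
              + ", ".join(f["indicators"]))
```

On the constructed events the interactive 7-Zip run from Explorer scores zero and is suppressed, while the copies run from a script host with a password switch, or from a non-standard path, are reported. The threshold is the tuning knob for the false-positive rate the passage warns about.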

Data transfer size limits

Attackers can exfiltrate data in fixed-size blocks rather than entire files, or set packet sizes below a certain threshold. This helps attackers bypass security mechanisms that warn when data transfer limits have been exceeded.

Protection

For network-level protection, it is recommended to use network intrusion detection and prevention systems, which can identify traffic typical of malware and C&C servers based on their signatures.

Detection

It is necessary to analyze network activity for unusual data flows (for example, the client sends significantly more data than it receives from the server). If a process maintains a connection for a long time and continuously sends data packets of a certain size, or if it opens connections and sends data packets of a fixed size at regular intervals, then it may be transmitting collected information. If a process is using the network when it usually (or never) does so, the behavior should be considered suspicious. It is also recommended to analyze the contents of packets for atypical use of the protocol or a specific port; for example, Tor traffic can be transmitted under the guise of a Skype video call.
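The two flow-level indicators described above, a client that sends far more than it receives and a process that sends packets of a fixed size at regular intervals, can be checked over flow records. The following is an added example, not code from the article or from any traffic analysis product: it runs both checks over constructed flow records (epoch timestamp, source, destination, bytes sent, bytes received). The record layout, thresholds and addresses are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src, dst, bytes_out, bytes_in).
# bytes_out is what the client sent; bytes_in is what it received. Not real traffic.
FLOWS = [
    # 10.0.0.5 pushes ~1 MiB to the same external host every 300 s and receives almost nothing.
    (1_617_000_000, "10.0.0.5", "203.0.113.10", 1_048_576, 200),
    (1_617_000_300, "10.0.0.5", "203.0.113.10", 1_048_576, 210),
    (1_617_000_600, "10.0.0.5", "203.0.113.10", 1_048_600, 200),
    (1_617_000_900, "10.0.0.5", "203.0.113.10", 1_048_576, 190),
    (1_617_001_200, "10.0.0.5", "203.0.113.10", 1_048_550, 200),
    (1_617_001_500, "10.0.0.5", "203.0.113.10", 1_048_576, 205),
    # 10.0.0.7 browses a web site: irregular timing, downloads dominate.
    (1_617_000_010, "10.0.0.7", "198.51.100.20", 800, 45_000),
    (1_617_000_047, "10.0.0.7", "198.51.100.20", 1_500, 120_000),
    (1_617_000_130, "10.0.0.7", "198.51.100.20", 600, 30_000),
    (1_617_000_500, "10.0.0.7", "198.51.100.20", 2_200, 250_000),
    (1_617_001_312, "10.0.0.7", "198.51.100.20", 900, 60_000),
    # 10.0.0.5 also exchanges balanced traffic with an internal file server.
    (1_617_000_100, "10.0.0.5", "10.0.0.2", 50_000, 48_000),
    (1_617_000_700, "10.0.0.5", "10.0.0.2", 52_000, 49_000),
]


def by_pair(flows):
    """Group flows by (src, dst), ordered by time."""
    groups = defaultdict(list)
    for f in sorted(flows):
        groups[(f[1], f[2])].append(f)
    return groups


def upload_heavy(flows, ratio=5.0, min_bytes=1_000_000):
    """Pairs where the client sent at least `ratio` times more than it received."""
    out = []
    for pair, fl in by_pair(flows).items():
        sent = sum(f[3] for f in fl)
        received = sum(f[4] for f in fl)
        if sent >= min_bytes and sent / max(received, 1) >= ratio:
            out.append({"pair": pair, "sent": sent, "received": received})
    return out


def cv(values):
    """Coefficient of variation; 0.0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def periodic_fixed_size(flows, min_conns=4, max_cv=0.1):
    """Pairs with at least `min_conns` connections whose sizes and intervals barely vary."""
    out = []
    for pair, fl in by_pair(flows).items():
        if len(fl) < min_conns:
            continue
        sizes = [f[3] for f in fl]
        intervals = [b[0] - a[0] for a, b in zip(fl, fl[1:])]
        if cv(sizes) <= max_cv and cv(intervals) <= max_cv:
            out.append({"pair": pair, "connections": len(fl),
                        "mean_size": round(mean(sizes)),
                        "mean_interval_s": round(mean(intervals))})
    return out


if __name__ == "__main__":
    print("upload-heavy:", upload_heavy(FLOWS))
    print("periodic fixed-size:", periodic_fixed_size(FLOWS))
```

Only the beaconing pair is reported by both checks; the browsing session fails the ratio test and has highly variable sizes and intervals, and the internal file transfer is balanced and too short to be judged periodic. In a real deployment the flow records would come from NetFlow, IPFIX or a traffic analysis system rather than an inline list.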

Exfiltration over alternative protocol

Exfiltration is performed using a protocol other than the C&C protocol, such as FTP, SMTP, HTTP/S, or DNS. In this case, the data is sent not to the command server, but to another location chosen by the attacker, for example, to a cloud storage.

Protection

Network traffic filtering: recommended for services such as DNS, ad hoc and proxy servers; allow these services to use only standard ports and protocols.

Network intrusion prevention: For network-level protection, use network intrusion detection and prevention systems that can identify traffic typical of malware and C&C based on signatures.

Network segmentation: use recommendations for securely configuring firewalls; limit the list of ports and data types used for incoming and outgoing traffic.

Detection

It is recommended to use a traffic analysis system (for example, PT Network Attack Discovery) to monitor unusual data flows in the network (for example, when the client sends significantly more data than it receives from the server). If a process that does not usually (or ever) use the network starts doing so, the behavior should be considered suspicious. It is also recommended to analyze the contents of packets for unusual use of a protocol or a specific port, as in the case of encrypted data transmission over UDP on ports opened for Skype.

Exfiltration over command and control channel

Exfiltration is carried out through a command and control server using the same protocol (communication channel) that is used to control data collection, for example through email or a created backdoor.

Protection

Network intrusion prevention: For network-level protection, use network intrusion detection and prevention systems that identify traffic typical of malware using signatures. Signatures are typically unique to a protocol and may be based on specific obfuscation techniques (turning code into a seemingly arbitrary set of data) specific to a particular attacker or tool. They will be different for each malware family or version. Signatures for interaction with C&C servers may change, and attackers may invent new ways to bypass standard security measures.

Detection

It is recommended to use a traffic analysis system (for example, PT NAD) to monitor unusual data flows on the network (for example, when a client sends significantly more data than it receives from the server). If a process that does not usually (or ever) use the network starts doing so, the behavior should be considered suspicious. You can also analyze the contents of packets for unusual use of a protocol or a specific port.

Exfiltration over other network medium

To exfiltrate data, attackers can use a channel other than the communication channel with the command and control server. For example: if control is carried out via a wired Internet connection, then exfiltration can be carried out via Wi-Fi, modem, cellular, Bluetooth or radio frequency channel. These alternative channels are used if they are not secure or are less secure than other channels in the network environment. When using such exfiltration methods, the attacker must have appropriate access to the Wi-Fi device or radio transmitter (be within range).

Protection

Setting up the operating system: it is necessary to exclude the possibility of creating new network adapters, for example, by restricting rights.

Detection

Monitor processes that do not usually (or ever) use network connections. For a process to access the network, some user action is typically required, such as pressing a key. Network access for no apparent reason should be considered suspicious.

Monitor changes to host adapter settings, such as adding or duplicating communication interfaces.

Physical exfiltration (Exfiltration over physical medium)

Under certain circumstances, such as when the network under attack is physically isolated, data exfiltration can be accomplished using a physical device such as an external hard drive, flash drive, mobile phone, or MP3 player. A physical device can be an endpoint for data exfiltration or an intermediary between an isolated system and an Internet-connected system.

Protection

Disabling or removing an unnecessary function or program: disable autostart of programs or services if it is not necessary. Prohibit or restrict the use of removable media as a matter of corporate policy unless it is required for business purposes.

Detection

Control access to files on removable media, as well as the processes that run when removable media is connected.

Scheduled transfer

Data exfiltration can occur at specific hours or at specific intervals. This method allows attackers to hide their activity among ordinary work operations. For example, data is transferred only on weekdays between 10:00 and 15:00, when most employees are using the Internet and sending emails and files over the network.

In addition to scheduled exfiltration, other techniques can be used to steal data, such as exfiltration through a command and control server and exfiltration through an alternative channel.

Protection

Network intrusion prevention: For network-level protection, use network intrusion detection and prevention systems that use signatures to identify traffic typical of C&C communications and malware. Signatures are typically unique to a protocol and may be based on specific obfuscation techniques specific to a particular attacker or tool. They will differ for each malware family or version. Signatures for interaction with C&C servers may change, and attackers may invent new ways to bypass standard security measures.

Detection

Monitor file access processes and network behavior. Unknown processes or scripts that attempt to traverse the designated directory and send data across the network may be a sign of malicious activity. Network connections to the same source at the same time several days in a row also require attention.
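The last sentence above, connections to the same destination at the same time several days in a row, is a simple recurrence check over upload records. The following is an added example, not code from the article or from MITRE: it groups constructed upload records by source, destination and hour of day, and reports pairs seen on a minimum number of consecutive calendar days, skipping internal destinations by default so that a nightly backup to an in-house server is not reported as scheduled exfiltration. The record layout, address ranges and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed upload records: (ISO timestamp, src, dst, bytes_out). Not real telemetry.
RECORDS = [
    # Same external destination, same hour, four working days in a row.
    ("2021-04-05T11:02:13", "10.0.0.5", "203.0.113.10", 4_200_000),
    ("2021-04-06T11:05:40", "10.0.0.5", "203.0.113.10", 3_900_000),
    ("2021-04-07T11:01:09", "10.0.0.5", "203.0.113.10", 4_400_000),
    ("2021-04-08T11:03:55", "10.0.0.5", "203.0.113.10", 4_100_000),
    # Large but irregular uploads to an external mail service at varying hours.
    ("2021-04-05T09:10:00", "10.0.0.7", "198.51.100.20", 2_100_000),
    ("2021-04-06T14:22:00", "10.0.0.7", "198.51.100.20", 1_800_000),
    ("2021-04-07T16:45:00", "10.0.0.7", "198.51.100.20", 2_300_000),
    # Nightly backup to an internal server: regular, but expected.
    ("2021-04-05T02:00:02", "10.0.0.9", "10.0.0.2", 9_000_000),
    ("2021-04-06T02:00:04", "10.0.0.9", "10.0.0.2", 9_100_000),
    ("2021-04-07T02:00:01", "10.0.0.9", "10.0.0.2", 9_050_000),
]

INTERNAL_PREFIXES = ("10.", "192.168.")  # assumed internal address ranges for this example


def is_external(ip: str) -> bool:
    return not ip.startswith(INTERNAL_PREFIXES)


def longest_consecutive_run(days) -> int:
    """Length of the longest run of consecutive calendar days in a collection of dates."""
    best = run = 0
    prev = None
    for d in sorted(days):
        run = run + 1 if prev is not None and d - prev == timedelta(days=1) else 1
        best = max(best, run)
        prev = d
    return best


def recurring_uploads(records, min_days=3, min_bytes=1_000_000, external_only=True):
    """(src, dst, hour) triples with uploads of at least min_bytes seen on
    min_days or more consecutive calendar days."""
    seen = defaultdict(set)  # (src, dst, hour) -> set of dates
    for ts, src, dst, sent in records:
        if sent < min_bytes or (external_only and not is_external(dst)):
            continue
        t = datetime.fromisoformat(ts)
        seen[(src, dst, t.hour)].add(t.date())
    findings = []
    for (src, dst, hour), days in seen.items():
        run = longest_consecutive_run(days)
        if run >= min_days:
            findings.append({"src": src, "dst": dst, "hour": hour,
                             "consecutive_days": run})
    return findings


if __name__ == "__main__":
    for f in recurring_uploads(RECORDS):
        print(f"{f['src']} -> {f['dst']} at {f['hour']:02d}:00 "
              f"on {f['consecutive_days']} consecutive days")
```

With the defaults only the 11:00 uploads to the external host are reported; the mail uploads never repeat in the same hour, and the backup is excluded as internal. Passing `external_only=False` surfaces the backup too, which is the usual starting point for building an allowlist of known scheduled jobs.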

What should a website owner do to avoid fines?

Step 1. If you have any forms of PD collection on your website, then under each of them you need to add the sentence “I agree to the processing of my personal data” and a checkbox.

Step 2. Accompany the sentence “I agree to the processing of my personal data” with a hyperlink to a document that sets out the conditions for processing personal data. This can be either a user agreement, consent to the processing of personal data, or a contract, privacy policy, part of an offer - the name is not so important.

For example, on the Microsoft website this document is called a privacy statement. Please note that it contains the item “Cookies and similar technologies”: if you use them, you should also warn about this. But on the Adidas website, the text of consent to the processing of personal data is located directly with the registration form, and the link leads to the company’s privacy policy.

Step 3. Prepare the text of the document with the conditions for processing PD. Please provide the following information (in accordance with Article 9 of Federal Law No. 152-FZ):

  • Full name, address of the subject of the personal data, number of the main document proving his identity, information about the date of issue of the specified document and the issuing authority;
  • name or full name and address of the operator receiving the consent of the PD subject;
  • purpose of PD processing;
  • list of PD to which the subject consents to be processed;
  • name or full name and address of the person processing PD on behalf of the operator, if processing will be entrusted to such a person;
  • a list of actions with personal data for which consent is given, a general description of the methods of processing personal data used by the operator;
  • the period during which the consent of the subject of the personal data is valid, as well as the method of its revocation (unless otherwise provided by law);
  • signature of the subject of the personal data.

If you are drawing up a user agreement based on someone else’s ready-made document, adjust the purposes of data processing and the list of data to suit you and your business.

Step 4. Prepare a Policy regarding the processing of personal data (this obligation of the operator is directly stated in paragraph 2 of Article 18.1 of Federal Law No. 152-FZ) and post it on the website for free access.

Step 5. Submit a notification about PD processing to Roskomnadzor. In general, in accordance with Part 1 of Art. 22 of Federal Law No. 152-FZ, the operator must do this before the start of PD processing. But better late than never.

You will not be fined for a delay in notification; sanctions will follow only if Roskomnadzor is interested in you. But even if you send a notification late, indicate the date of state registration as the start date of PD processing.
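Steps 1 and 2 have a server-side counterpart: the form handler must treat only an explicitly submitted checkbox as consent (silence or inaction is never consent, and consent to distribution is given separately, as noted at the start of the article) and must keep a record of what the subject agreed to and which policy text was linked. The following is an added example, not code from the article or from any site it mentions. The field names, the policy URL and version label, and the list of categories offered for distribution are assumptions made for the example; the form markup itself must also leave both checkboxes unchecked by default, which this code cannot enforce.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical values for this example: policy URL, version label and field names
# are assumptions, not anything the article prescribes.
POLICY_URL = "https://example.com/privacy-policy"
POLICY_VERSION = "2021-09-01"
PD_FIELDS = ("full_name", "email", "phone")   # personal data the form collects
DISTRIBUTABLE = {"full_name", "email"}        # categories offered for distribution consent
TRUE_VALUES = {"on", "1", "true", "yes"}


@dataclass
class ConsentRecord:
    subject_fields: dict
    policy_url: str
    policy_version: str
    given_at: str
    distribution_allowed: bool = False
    distribution_fields: list = field(default_factory=list)


def _checked(form: dict, name: str) -> bool:
    # Only an explicitly submitted checkbox value counts. An absent or empty field
    # is inaction, and inaction is never consent, so the default is False.
    return str(form.get(name, "")).strip().lower() in TRUE_VALUES


def validate_consent(form: dict):
    """Validate a submitted PD form. Returns (ConsentRecord, []) on success or
    (None, [error messages]) when consent is missing or malformed."""
    errors = []
    if not _checked(form, "consent_processing"):
        errors.append("consent_processing: explicit consent to processing is required")
    subject = {f: str(form[f]).strip() for f in PD_FIELDS if str(form.get(f, "")).strip()}
    if not subject:
        errors.append("no personal data fields were submitted")

    # Consent to distribution is a separate decision with its own checkbox and its
    # own per-category selection; it is never implied by the processing consent.
    dist_allowed = _checked(form, "consent_distribution")
    dist_fields = []
    if dist_allowed:
        requested = form.get("distribution_fields", [])
        if isinstance(requested, str):
            requested = [requested]
        unknown = sorted(set(requested) - DISTRIBUTABLE)
        if unknown:
            errors.append(f"distribution_fields: not offered for distribution: {unknown}")
        dist_fields = sorted(set(requested) & DISTRIBUTABLE & set(subject))
        if not dist_fields and not unknown:
            errors.append("consent_distribution given but no distributable field selected")

    if errors:
        return None, errors
    record = ConsentRecord(
        subject_fields=subject,
        policy_url=POLICY_URL,
        policy_version=POLICY_VERSION,
        given_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        distribution_allowed=dist_allowed,
        distribution_fields=dist_fields,
    )
    return record, []


if __name__ == "__main__":
    sample = {"full_name": "Ivan Ivanov", "email": "ivan@example.com",
              "consent_processing": "on"}
    print(validate_consent(sample))
```

Storing the policy version with each record is what lets the operator later show which text the subject agreed to; if the policy document changes, consent should be re-collected against the new version rather than silently carried over.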

Cases when notification to Roskomnadzor is not required

There is no need to notify Roskomnadzor if the PD:

  • relate to subjects who have labor relations with the operator;
  • received by the operator when concluding an agreement, but are not distributed or provided to third parties without the consent of their subject, that is, used by the operator exclusively for the execution of the agreement;
  • are publicly available;
  • include only the full names of the subjects of personal data;
  • are needed for a one-time pass of the PD subject to the territory where the operator is located, or for other similar purposes;
  • included in federal automated PD information systems, state PD information systems created to protect state security and public order;
  • processed without the use of automation tools in accordance with federal laws or other regulatory legal acts.

All of the above measures apply to both individuals and legal entities. However, legal entities should take a number of additional measures - organizational, legal and technical.

Confidentiality of personal data: when it does not need to be ensured

In accordance with Part 2 of Art. 22 of Federal Law No. 152-FZ, ensuring the confidentiality of personal data is not required:

  • in case of depersonalization of PD;
  • in relation to publicly available PD;
  • if the data includes only the full names of the subjects of personal data;
  • for a one-time pass of the PD subject to the territory where the operator is located (or for other similar purposes);
  • if the data is obtained in connection with the conclusion of an agreement to which the PD subject is a party, if the data is not distributed or provided to third parties without the consent of the subject and is used by the operator solely for the execution of the specified agreement and the conclusion of agreements with the PD subject;
  • if the data relates to members of a public association or religious organization and is processed to achieve legitimate purposes.

Other types of liability and related sanctions

There is also civil liability for the transfer of personal data to third parties: under Article 15 of the Civil Code, when losses are caused (costs of restoring a violated right, lost income) by circumventing the law, the sanction is compensation for the damage caused. Where moral harm is caused, Art. 24 of the Law on Personal Data and Art. 151 of the Civil Code also provide for its compensation, most often in monetary form.

Disciplinary liability applies to employees of an enterprise who are caught disclosing and transferring personal data to third parties: Article 81, Part 1, Clause 6, Subclause “c” of the Labor Code provides for dismissal in this case. For other violations in this area, Art. 90 and 192 of the Labor Code provide for a remark or a reprimand.

When you do not need to obtain consent to process personal data

According to clauses 2–11 of Part 1 of Article 6 of Federal Law No. 152-FZ, consent is not required in cases where the processing of personal data is:

  • carried out on the basis of a federal law establishing its purpose, conditions for obtaining personal data and the range of subjects whose data is subject to processing, as well as defining the powers of the operator;
  • carried out for the purpose of fulfilling an agreement, one of the parties to which is the subject of the personal data;
  • carried out for statistical or other scientific purposes, subject to mandatory depersonalization of PD;
  • necessary to protect the life, health or other vital interests of the subject of the personal data, if obtaining consent is impossible;
  • necessary for the delivery of postal items, for telecommunication operators to make payments to users of communication services for services rendered, as well as for considering claims from users of communication services;
  • carried out for the purposes of the professional activities of a journalist or for the purposes of scientific, literary or other creative activities, provided that the rights and freedoms of the subject of the personal data are not violated;
  • is carried out in relation to data subject to publication in accordance with federal laws, including PD of persons holding public positions, positions of the state civil service, PD of candidates for elected state or municipal positions.

Disclosure of which personal data is criminally punishable (judicial practice)

The practice of courts of general jurisdiction shows that the concept of personal secret is interpreted extremely broadly, and therefore prosecution under Art. 137 of the Criminal Code of the Russian Federation is possible for the disclosure of almost any personal data. The relationship of certain information to personal or family secrets is established on the basis of the testimony of the victim.

For example, the following were recognized as constituting personal secrets:

  • Full name, address, passport details, date of birth, subscriber number (resolution of the Sterlitamak City Court of the Republic of Bashkortostan dated April 19, 2012 in case No. 1-249/12);
  • details of telephone connections (sentence of the Solikamsk City Court of the Perm Territory dated November 16, 2011 in case No. 1-511/11);
  • information about the movements of the car (sentence of the magistrate judge of the Investigative District No. 28 of Samara dated February 25, 2015 in case No. 1-6/2015).